CSP: group policies in didAddContentSecurityPolicy.

third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp

 /*
  * Copyright (C) 2011 Google, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 306 matching lines @@
     begin = position;
   }
 }
 
 void ContentSecurityPolicy::reportAccumulatedHeaders(
     LocalFrameClient* client) const {
   // Notify the embedder about headers that have accumulated before the
   // navigation got committed.  See comments in
   // addAndReportPolicyFromHeaderValue for more details and context.
   DCHECK(client);
-  for (const auto& policy : m_policies) {
-    client->didAddContentSecurityPolicy(
-        policy->header(), policy->headerType(), policy->headerSource(),
-        {policy->exposeForNavigationalChecks()});
-  }
+  WebVector<WebContentSecurityPolicy> policies(m_policies.size());
+  for (size_t i = 0; i < m_policies.size(); ++i)
+    policies[i] = m_policies[i]->exposeForNavigationalChecks();
+  client->didAddContentSecurityPolicies(policies);
 }
 
 void ContentSecurityPolicy::addAndReportPolicyFromHeaderValue(
     const String& header,
     ContentSecurityPolicyHeaderType type,
     ContentSecurityPolicyHeaderSource source) {
   size_t previousPolicyCount = m_policies.size();
   addPolicyFromHeaderValue(header, type, source);
   if (document() && document()->frame()) {
     // Notify about the new header, so that it can be reported back to the
     // browser process.  This is needed in order to:
     // 1) replicate CSP directives (i.e. frame-src) to OOPIFs (only for now /
     // short-term).
     // 2) enforce CSP in the browser process (long-term - see
     // https://crbug.com/376522).
     // TODO(arthursonzogni): policies are actually replicated (1) and some of
-    // them are (or will) be enforced on the browser process (2). Stop doing (1)
-    // when (2) is finished.
-
-    // Zero, one or several policies could be produced by only one header.
-    std::vector<blink::WebContentSecurityPolicy> policies;
-    for (size_t i = previousPolicyCount; i < m_policies.size(); ++i)
-      policies.push_back(m_policies[i]->exposeForNavigationalChecks());
-    document()->frame()->client()->didAddContentSecurityPolicy(
-        header, type, source, policies);
+    // them are enforced on the browser process (2). Stop doing (1) when (2) is
+    // finished.
+    WebVector<WebContentSecurityPolicy> policies(m_policies.size() -
+                                                 previousPolicyCount);
+    for (size_t i = previousPolicyCount; i < m_policies.size(); ++i) {
+      policies[i - previousPolicyCount] =
+          m_policies[i]->exposeForNavigationalChecks();
+    }
+    document()->frame()->client()->didAddContentSecurityPolicies(policies);
   }
 }
 
 void ContentSecurityPolicy::setOverrideAllowInlineStyle(bool value) {
   m_overrideInlineStyleAllowed = value;
 }
 
 void ContentSecurityPolicy::setOverrideURLForSelf(const KURL& url) {
   // Create a temporary CSPSource so that 'self' expressions can be resolved
   // before we bind to an execution context (for 'frame-ancestor' resolution,
@@ skipping 1277 matching lines @@
   if (SecurityOrigin::shouldUseInnerURL(url)) {
     return SchemeRegistry::schemeShouldBypassContentSecurityPolicy(
         SecurityOrigin::extractInnerURL(url).protocol(), area);
   } else {
     return SchemeRegistry::schemeShouldBypassContentSecurityPolicy(
         url.protocol(), area);
   }
 }
 
 }  // namespace blink